Somewhat Non-Committing Encryption and Efficient Adaptively Secure Oblivious Transfer

Somewhat Non-Committing Encryption

and Efficient Adaptively Secure Oblivious Transfer

Juan A. Garay∗ Daniel Wichs† Hong-Sheng Zhou‡

April 15, 2009

Abstract

Designing efficient cryptographic protocols tolerating adaptive adversaries, who are able to corrupt parties on the fly as the computation proceeds, has been an elusive task. Indeed, thus far noefficientprotocols achieve adaptive security for general multi-party computation, or even for many specific two-party tasks such as obliv-ious transfer (OT). In fact, it is difficult and expensive to achieve adaptive security even for the task ofsecure communication, which is arguably the most basic task in cryptography.

In this paper we make progress in this area. First, we introduce a new notion calledsemi-adaptivesecurity which is slightly stronger than static security butsignificantly weaker than fully adaptive security. The main difference between adaptive and semi-adaptive security is that, for semi-adaptive security, the simulator is not required to handle the case wherebothparties start out honest and one becomes corrupted later on during the protocol execution. As such, semi-adaptive security is much easier to achieve than fully adaptive security. We then give a simple, generic protocol compiler which transforms any semi-adaptively secure protocol into a fully adaptively secure one. The compilation effectively decomposes the problem of adaptive security into two (simpler) problems which can be tackled separately: the problem of semi-adaptive security and the problem of realizing a weaker variant of secure channels.

We solve the latter problem by means of a new primitive that we callsomewhat non-committing encryption resulting in significant efficiency improvements over the standard method for realizing (fully) secure channels using (fully) non-committing encryption. Somewhat non-committing encryption has two parameters: an equiv-ocality parameter`(measuring the number of ways that a ciphertext can be “opened”) and the message sizesk. Our implementation is very efficient for small values`,evenwhenkis large. This translates into a very efficient compilation of many semi-adaptively secure protocols (in particular, for a task with small input/output domains such as bit-OT) into a fully adaptively secure protocol.

Finally, we showcase our methodology by applying it to the recent Oblivious Transfer protocol by Peikertet al.[Crypto 2008], which is only secure against static corruptions, to obtain the first efficient, adaptively secure and composable OT protocol. In particular, to transfer ann-bit message, we use a constant number of rounds andO(n)public key operations.

1

Introduction

When defining the security of cryptographic protocols, we generally strive to capture as wide a variety of adver-sarial attacks as possible. The most popular method of doing so is thesimulation paradigm[GMW87] where the security of a real-world protocol is compared to that of an ideal-world (perfectly secure) implementation of the same task. Within the simulation paradigm there are several flavors. Firstly, basic simulation only guarantees security for single copy of a protocol executing in isolation. TheUniversal Composability(UC) framework [Can01,Can05] extends the simulation paradigm and defines security for protocols executed in arbitrary environments, where ex-ecutions may be concurrent and even maliciously interleaved. Secondly, we generally distinguish betweenstatic andadaptivesecurity. Static security protects against an adversary who controls some fixed set of corrupted parties throughout the computation. Adaptive security, on the other hand, defends against an adversary who can corrupt parties adaptively at any point during the course of the protocol execution (for example by bribing them or hacking

∗

AT&T Labs – Research, 180 Park Avenue, Florham Park, NJ 07932, USA. Email:[email protected].

†

Computer Science Department, New York University, NY 10012, USA. Email:[email protected].

‡

into their machines). For adaptive security, we also make a distinction between theerasure model, where honest parties are trusted to securely erase data as mandated by the protocol, and thenon-erasure model, where no such assumptions are made. Given the difficulty of erasing data securely it is valuable to construct protocols in the latter model, which is the subject of this work.

The seminal result of [CLOS02] shows that it is theoretically possible to design an adaptively secure and uni-versally composable protocol for almost any task assuming the presence of some trusted setup such as a randomly selected common reference string (CRS). Unfortunately, the final protocol of [CLOS02] should be viewed as a purely theoreticalconstruction. Its reliance on expensive Cook-Levin reductions precludes a practical implemen-tation. Alternative efficient approaches to two-party and multi-party computation received a lot of attention in the recent works of [DN03,KO04,GMY04,JS07,LP07,IPS08,Lin09]. However, all of these results sacrifice some aspect of security to get efficiency. Concretely, the work of [LP07] only provides stand-alone static security, [JS07] provides UC static security, [GMY04, Lin09] provide UC/concurrent adaptive security but only in the erasure model, and [DN03] provides UC adaptive security but only for an honest majority, and [KO04] do not allow for an adversary that eventually corruptsallparties. The recent work of [IPS08]canprovide UC adaptive security but only given an efficient adaptively secure Oblivious Transfer (OT) protocol. However, as we will discuss, no such protocols were known. Lastly, we mention the work of [CDD+04], which gives a generic compiler from static to adaptive security using secure channels. Unfortunately, this compiler does not provide full adaptive security (does not allow for post-execution corruptions) and, as was noted in [Lin09], crucially relies on rewinding and hence cannot be used in the UC framework.

Indeed, thus far no efficient protocols for general multi-party computation, or even for many specific two-party function evaluation tasks, achieve adaptive security. This is not surprising given the difficulty of realizing adaptive security for even the most fundamental task in cryptography: secure communication. As was observed in [CFGN96], standard security notions for encryption do not suffice. Adaptively secure communication schemes, also callednon-committing encryptionschemes, were introduced and constructed in [CFGN96] and studied further in [Bea97,DN00], but these protocols are fairly complicated and inefficient for large messages.

It turns out that many useful two-party tasks (e.g., Oblivious Transfer, OR, XOR, AND, Millionaires’ problem, etc.) arestrictly harderto achieve than secure communication, the reason being that these tasks allow two honest parties to communicate by using the corresponding ideal functionality. For example, using Oblivious Transfer (OT), an honest sender can transfer a message to a receiver by setting it asbothof his input values. Therefore, an adaptively secure OT protocol for the transfer ofkbit messages can be used as a non-committing encryption of ak bit message and so all of the difficulty and inefficiency of non-committing encryption mustalsoappear in protocols for tasks such as OT. Further, unlike secure communication, many tasksalsorequire security against the active and malicious behavior of theparticipants. This might lead us to believe that the two difficulties will be compounded making efficient adaptively secure implementations of such tasks infeasible or too complicated to contemplate.

Taking Oblivious Transfer as an example, this indeed seems to be the case. The recent work of [LZ09], proves a (black-box) separation between enhanced trapdoor permutations (which allow for static OT) and adaptively secure OT, showing that the latter is indeed “more complex” in a theoretical sense. This complexity is reflected in practice as well. We are aware of only two examples (albeit inefficient) of adaptively secure OT protocols, from [Bea98] and [CLOS02]. Both of these works first construct an OT protocol for the honest-but-curious setting and then compile it into a fully-secure protocol using generic and inefficient zero knowledge proofs. In both constructions, the underlying honest-but-curious OT protocols rely on ideas from non-committing encryption1and hence inherit its complexity. Since the full constructions require us to run zero knowledge proofson top of the complex underlying honest-but-curious protocol, there is little hope of making them efficient by only using proofs for simple relations. This is in contrast to static security (and adaptive security in the erasure model) for which wehaverecently seen efficient constructions of OT protocols. For example, [GMY04,JS07, DNO08] construct OT protocols by only using simple and efficient zero-knowledge proofs. Interestingly, Ishaiet al.[IKLP06] give the first OT protocol constructions against malicious corruptionswithoutusing zero knowledge proofs; this result was later strengthened in [Hai08]. Two very recent and efficient concrete protocols not using zero-knowledge proofs are given in [PVW08, Lin08]. The protocol of [PVW08] is particularly exciting since it is a UC-secure protocol in the CRS model which runs in two rounds and uses a constant number of public key operations. Achieving adaptive security based on these protocols has, however, remained as an open problem.

1_{The protocol of [Bea98] implicitly uses the plug-and-play approach from [Bea97], while the protocol of [CLOS02] uses non-committing}

In summary, we can use ideas from non-committing encryption to get honest-but-curious adaptively secure OT protocols,orwe can use various clever ideas to achieve static security in the malicious setting, but there has been no known way tocombinethese techniques.

1.1 Our contributions

In this work we construct the first efficient (constant round, constant number of public-key operations) adaptively secure Oblivious Transfer protocol in the non-erasure model. Along the way we develop several techniques of independent interest which are applicable to adaptive security in general.

First, we introduce a new notion calledsemi-adaptivesecurity which is slightly stronger than static security but significantly weaker than fully adaptive security. In particular, a semi-adaptively secure protocol for a task like OT,does notyield a non-committing encryption scheme and hence does not (necessarily) inherit its difficulty. We then give a generic compiler which transforms any semi-adaptively secure protocol into a (fully) adaptively secure protocol. The compiler is fairly simple: we take the original protocol and execute it over a secure communication channel (i.e., all communication from one party to another is sent over a secure channel). The compilation effec-tively decomposes the problem of adaptive security into two (simpler) problems which can be tackled separately: the problem of semi-adaptive security and the problem of realizing secure channels. We note that a similar compiler was studied in [CDD+04]. As we mentioned, that compiler only works in the stand-alone setting and transforms a statically secure protocol into one which is adaptively securewithout post-execution corruptions. In contrast, our protocol works in the UC setting, and results in fully adaptive security, but requires the starting protocol to be semi-adaptively secure (a new notion which we formally define later).

Unfortunately, we saw that the construction of secure-channels is a difficult problem and existing solutions are not very efficient. Also, as we already mentioned, we cannot completely bypass this problem since adaptive security for many tasksimpliessecure channels. However, for the sake of efficiency, we would like to limit the use of secure channels (and hence the use of non-committing encryption) to a minimum. For example, we know that an OT protocol for one-bit messages implies a non-committing encryption of a one-bit message. However, to get adaptive security for a bit-OT protocol, our compiler, as described above, would use non-committing encryption to encrypt theentireprotocol transcript, and hence much more than one bit!

We fix this discrepancy by introducing a new notion calledsomewhat non-committing encryption. Somewhat non-committing encryption has two parameters: the equivocality`(measuring just hownon-committingthe scheme is) and the message sizek. We first observe that somewhat non-committing encryption is efficient for small values of the equivocality parameter`,evenwhenkis large (i.e., when we encrypt long messages). Secondly, we observe that our compiler can use somewhat non-committing encryption where the equivocality`is proportional to the size of the input and output domains of the functionality. As a result, we obtain a very efficient compiler transforming any semi-adaptively secure protocol for a task with small input/output domains (such as bit-OT) into a fully adap-tively secure protocol. We also show that this methodology can, in special cases, be applied to tasks with larger domain sizes such as string-OT with long strings.

We apply our methodology to the OT protocol of Peikert et al.[PVW08], resulting in the first efficient and adaptively secure OT protocols. Peikertet al.actually present a general framework for constructing static OT, and instantiate this framework using the Quadratic Residuocity (QR), Decisional Diffie-Hellman (DDH), and Lattice-based assumptions. In this work, we concentrate on the QR and DDH Lattice-based schemes. We show that relatively small modifications suffice to make these schemes semi-adaptively secure. We then employ our compiler, using somewhat non-committing encryption, to convert them into (fully) adaptively UC-secure OT protocols.

1.2 Concurrent and independent work

an extremely efficient adaptively-secure OT protocol using a constant number of rounds andO(n)public-key op-erations to transfer ann-bit string.2 In contrast, the compiler of [CDMW09] shows how to base adaptively-secure OT on a simulatable cryptosystem in a black-box way, but at the expense of runningΩ(λ2)copies of the underlying semi-honest OT protocol, whereλis the security parameter, and thus requiringΩ(λ2n) operations forn-bit OT. Therefore our protocol can be significantly more efficient.

To avoid diluting the main ideas of the paper, we put all proofs in the appendix, together with background material, efficiency considerations, our enhanced version of the QR dual-mode cryptosystem, and our DDH version of adaptively secure bit- and string-OT.

2

Somewhat Non-Committing Encryption and Adaptive Security

2.1 Adaptive security in two-party protocols

What are some of the challenges in achieving adaptive security for a two-party protocol? Let’s assume that a protocolπbetween two partiesP0, P1 realizes a taskF with respect to static adversaries. That means that there is a static simulator which can simulate the three basic cases: both parties are honest throughout the protocol, exactly one party is corrupted throughout the protocol or both parties are corrupted throughout the protocol. To handle adaptive adversaries, we require two more capabilities from our simulator: the ability to simulate afirst corruption (i.e., the case that both parties start out honest and then one of thembecomescorrupted) and simulating thesecond corruption(i.e., the case that one party is already corrupted and the other party becomes corrupted as well).

Simulating the first corruption is often the harder of the two cases. The simulator must produce the internal state for the corrupted party in a manner that is consistent with the protocol transcript so far and with the actual inputs of that party (of which the simulator had no prior knowledge). Moreover, the simulator needs to have all the necessary trapdoors to continue the simulationwhile only one party is corrupted. Achieving both of these requirements at once is highly non-trivial and this is one of the reasons why efficient protocols for adaptively secure two-party computation have remained elusive.

Interestingly, simulating the first corruption becomes much easier if the protocolπ employs secure channels for all communication between parties. At a high level, the simulator does not have to do any work while both parties are honest, since the real-world adversary does not see any relevant information during this time! When the first partybecomescorrupted, we can just run a static simulation for the scenario in which this partywascorrupted from the beginning but acting honestly and using its input. Then, we can “lie” and pretend that this communication (generatedex post facto) actually took placeover the secure channel when both parties were honest. The lying is performed by setting the internal state of the corrupted party accordingly. Since our lie corresponds to the simulation of a statically corrupted party (which happens to act honestly), all of the trapdoors are in place to handle future mischievous behavior by that (freshly corrupted) party. The only problem left is in handling the second corruption – but this is significantly easier! To formalize this, we will define a notion of semi-adaptive security where the simulator needs to be able to simulate static corruptions as well as the case where one party starts out corrupted and the other party becomes corrupted later on (but not the case where both parties start out honest and may become corrupted later). The formal notion (with some additional restrictions imposed on the simulator) appears inSection 2.4. Informally, we have argued the following claim:

Claim 2.1. (Simplified and incorrect version) Assume that a two-party protocolπfor a taskF is semi-adaptively secure. Then the protocol is also fully adaptively secure if all communication between the parties is sent over an idealized secure channel.

The above claim (when formalized and corrected) will already allow us to compile many protocols for tasks like OT into adaptively secure ones. However, we would like to improve the efficiency of this compilation. Unfortu-nately, idealized secure channels are hard to achieve physically and implementing such channels cryptographically in the real world requires the inefficient use ofnon-committing encryptionto encrypt the entire protocol transcript. Luckily, it turns out that we often do not need to employ fully non-committing encryption to make the transfor-mation ofClaim 2.1hold. We define a weaker primitive called somewhat non-committing encryptionand show that this primitive can be implemented with significantly greater efficiency than (fully) non-committing encryption.

Finally, we show that somewhat non-committing encryption is oftengood enoughto transform a semi-adaptively secure protocol into a fully adaptively secure protocol when the sizes of the input/output domains are small.

2.2 Definingsomewhatnon-committing encryption

Let us first recall the notion of non-committing encryption from [CFGN96]. This is a protocol used to realize secure channels in the presence of anadaptiveadversary. In particular, this means that a simulator can produce “fake” ciphertexts and later explain them as encryptions of any possible given message. The idea of realizing secure channels against adaptive adversaries as part of a compilation of adaptively secure protocols goes back to [BH92] where this is done in the erasure model. Several non-committing encryption schemes in the non-erasure model have appeared in literature [CFGN96, Bea97, DN00] but the main disadvantage of such schemes is the computational cost. All of the schemes are interactive (which was shown to be necessary in [Nie02]) and the most efficient schemes requireΩ(1)public-key operations (e.g. exponentiations)per bitof plaintext.3

We notice that it is often unnecessary to require that the simulator can explain a ciphertext as the encryption of any later-specified plaintext. Instead, we define a new primitive, which we call somewhat non-committing encryption, where the simulator is given a set of`messages during the generation of the fake ciphertext and must later be able to plausibly explain the ciphertext as the encryption ofany one of those`messages. In a sense, we distinguish between two parameters: the plaintext size (in bits)kand the equivocality`(the number of messages that the simulator can plausibly explain). For fully non-committing encryption, the equivocality and the message size are related by`= 2k. Somewhat non-committing encryption, on the other hand, is useful in accommodating the case where the equivocality`is very small, but the message sizekis large.

FunctionalityF_SCN

The ideal functionalityF_SCN interacts with an initiatorI and a receiverR. It consists of a channel-setup phase, after which the two parties can send arbitrarily many messages from one to another. The functionality is parameterized by a non-information oracleN. It verifies thatsid = (I, R,sid0)is consistent for all received messages and ignores otherwise.

Channel setup: Upon receiving an input(ChSetup,sid, I)from partyI, initialize the machineN and record the tuple

(sid,N). Pass the message(ChSetup, I)toR. In addition, pass this message toN and forward its output toS.

Message transfer: Upon receiving an input(Send,sid, P, m)from partyP whereP ∈ {I, R}, find a tuple(sid,N) and, if none exists, ignore the message. Otherwise, send the message(Send,sid, P, m)to theotherpartyP = {I, R} − {P}. In addition, invokeN with(Send,sid, P, m)and forward its output to the adversaryS.

Corruption: Upon receiving a message(Corrupt,sid, P)from the adversary, send(Corrupt,sid, P)toN and for-ward its output to the adversary. After the first corruption, stop the execution ofN and give the adversaryS complete control over the functionality (i.e. the adversarySlearns all inputs and can specify any outputs).

Figure 1: The parameterized secure-channel ideal functionality,F_SCN .

It is challenging to define an ideal-functionality forsomewhatnon-committing encryption, for the same reason that it is difficult to define ideal functionalities for many useful primitives likewitness indistinguishableproofs of knowledge: the ideal world often captures a notion of security which istoostrong. Here, we take the approach of [CK02] where ideal-world functionalities are weakened by the inclusion of anon-information oraclewhich is a PPT TM that captures the information leaked to the adversary in the ideal world. The ideal world functionality for secure channels inFigure 1, is parameterized using a non-information oracleN which gets the values of the exchanged messagesmand outputs some side information to the adversaryS. The security of the secure channel functionalityF_SCN depends on the security properties required for the machineN and thus we can capture several meaningful notions. Let us first start with the most secure option which captures (fully) non-committing encryption.

Definition 2.2. LetNfullbe the oracle, which, on input(Send,sid, P, m), produces the output(Send,sid, P,|m|) and, on any inputs corresponding to theChSetup,Corruptcommands, produces no output. We call the

function-3_{No such lower bound has appeared in literature and proving it, or providing a more efficient scheme, seems like an interesting though}

alityF_SCNfull, or justFSCfor brevity, a(fully) non-committing secure channel. A real-world protocol which realizes

FSCis called anon-committing encryption scheme (NCE).

In the above definition, the oracle N never reveals anything about messages m exchanged by two honest parties, even if (both of the) parties later get corrupted. Hence the functionality is fullynon-committing. To define somewhatnon-committing encryption we first start with the following definitions of non-information oracles.

Definition 2.3. A machineRis called amessage-ignoringoracle if, on any input(Send,sid, P, m), it ignores the valuemand processes only the input(Send,sid, P,|m|). A machineMcalled amessage-processingoracle if it has no such restrictions. We call a pair of machines(M,R)well-matchedif no PPT distinguisherD(with oracle access to eitherMorR) can distinguish the message-processing oracleMfrom the message-ignoring oracleR.

We are now ready to define the non-information oracle used by a somewhat non-committing secure channel ideal functionality.

Definition 2.4. Let (M,R) be a well-matched pair which consists of a processing and a message-ignoring oracle respectively. LetN`be a (stateful) oracle with the following structure.

Upon initialization,N` chooses a uniformly random indexi← {$ 1, . . . , `}. In addition it initializes a tuple of

`independentTMs:hN1, . . . ,N`iwhereNi =Mand, forj6=i, the machinesNjare independent copies of

the message-ignoring oracleR.

WheneverN` receives inputs of the form(ChSetup,sid, P)or(Send,sid, P, m), it passes the input to each machineNi receiving an outputyi. It then outputs the vector(y1, . . . , y`).

Upon receiving an input(Corrupt,sid, P), the oracle reveals the internal state of the message-processing oracleNionly.

For any such oracleN`, we call the functionalityF<sub>SC</sub>N`an`-equivocal non-committing secure channel. For brevity, we will also use the notationF<sub>SC</sub>` to denoteF_SCN` for some such oracle N`. Lastly, a real world protocol which realizesF_SC` is called an`-equivocal non-committing encryption scheme (`-NCE).

As before, no information about messagesmis revealed during the “send” stage. However, the internal state of the message-processing oracleNi, which is revealed upon corruption, might be “committing”. Nevertheless,

a simulator can simulate the communication between two honest parties over a secure channel, as modeled by

F`

SC, in a way that allows him to later explain this communication as any one of ` possibilities. In particular, the simulator creates` message-processing oracles and, for everySend command, the simulator chooses ` dis-tinct messagesm1, . . . , m` that he passes to the oraclesM1, . . . ,M`respectively. Since message-processing and

message-ignoring oracles are indistinguishable, this looks indistinguishable from the side-information produced by

F`

SC. Later, when a corruption occurs, the simulator can convincingly explain the entire transcript of communi-cation to any one of the`possible options, by providing the internal state of the appropriate message-processing oracleMi.

2.3 The`-NCE scheme construction

The construction of`-NCE is based on asimulatable public-key system, which was defined in [DN00]. A simu-latable public-key system is one in which it is possible to generate public keys obliviously, without knowing the corresponding secret key, and to explain an honestly (non-obliviously) generated public key as one which was obliviously generated. In a similar way, there should be a method for obliviously generating ciphertexts (without knowing any plaintext) and to explain honestly generated (non-oblivious) ciphertexts as obliviously generated ones. We review the syntax and security properties of such a scheme inAppendix B. Our`-NCE protocol construction, shown inFigure 2, uses a fully non-committing secure channel, but only to send avery shortmessage during the setup phase. Hence, for long communications, our`-NCE scheme is significantly more efficient than (full) NCE.

Let(KG,Enc,Dec)be anoblivious public key system andKGf,Encg be the correspondingoblivious key generatorand oblivious ciphertext generator algorithms. Furthermore, let(KGsym,Encsym,Decsym)be a symmetric key encryption scheme in which the ciphertexts are indistinguishable from uniformly random values of the same length.

Channel Setup.An initiatorIsets up a channel with a receiverRas follows:

1. The initiatorIsends a random indexi∈ {1, . . . , `}toRover a fully non-committing secure channel.

2. The initiatorIgenerates`public keys. Forj ∈ {1, . . . , `} \ {i}, the keyspk_j ← KGf()are sampled obliviously, while(pk_i, sk_i)←KG()is sampled correctly. The keyspk₁, . . . , pk_`are sent toRwhileIstoressk_i.

3. The receiver Rchooses a random key K ← KGsym and computesC_i = Enc_pki(K)correctly. In addition, R samplesC_j←Encgpkj()obliviously forj∈ {1, . . . , `} \ {i}and sends the ciphertextsC1, . . . , C`toI.

4. The initiatorIdecrypts the keyK←Dec_ski(C_i). Both parties store the tuple(K, i).

Encryption.An initiatorIencrypts a messagemto a receiverRas follows:

1. The initiatorI computesC_i ← Encsym_K (m)and choosesC_j for j ∈ {1, . . . , `} \ {i}as uniformly random and independent values of length|C<sub>i</sub>|. The tuple(C<sub>1</sub>, . . . , C<sub>`</sub>)is sent toR.

2. The receiverRignores all values other thanC_i. It computesm←Decsym_K (C_i).

Figure 2: Construction of an`-NCE protocol.

InAppendix Cwe analyze the efficiency of the above scheme with appropriate instantiations of the underlying secure-channel implementation (using full NCE), simulatable public-key system and symmetric key encryption scheme. We show that our scheme uses a total of (expected)O(log`)public key operations,O(`)communication and (expected) constant rounds of interaction for the channel setup phase. After channel-setup, encryption is non-interactive and requires only symmetric-key operations. However, the encryption of akbit message requiresO(`k) bits of communication.

2.4 The adaptive security protocol compiler for two-party SFE

As an application of`-NCE, we give a general theorem, along the lines ofClaim 2.1, showing that a protocol with semi-adaptive security can be compiled into a protocol with (full) adaptive security when all of the communication is encrypted using`-NCE for some appropriate`. However, we must first give a formal definition of semi-adaptive security. The main part of the definition is to look at corruption strategies which are more restricted than fully adaptive ones, but less so than static ones.

Definition 2.6. An adversarial strategy is second-corruption adaptive if either at least one of the parties is cor-rupted prior to protocol executionorno party is ever corrupted. In the former case, the other party can be adap-tively corrupted at any point during or after protocol execution. In other words, the first corruption (if it occurs) must be static and the second corruption can then be adaptive.

Intuitively, we’d like to say that a protocol is semi-adaptively secure if it is secure with respect to second-corruption adaptive strategies. Unfortunately, there are two subtleties that we must consider. Firstly, we know that most tasks cannot be realized in the Universal Composability framework without the use oftrusted setup. However, the use of trusted setup complicates our transformation. The point of using (somewhat) non-committing encryption is that the simulator can lie aboutanything that occurs while both parties are honest. However, we often rely on trusted setup in which some information is given to the adversary even when both parties are honest. For example, the usual modeling of a common reference string (seeAppendix A) specifies that this string is made public and given to the adversary even whennoneof the participants in the protocol are corrupted. In this case the simulator is committed to such setup even if the parties communicate over secure channels. Therefore we require that, when trusted setup is used, the semi-adaptive simulator simulates this setup independently of which party is corrupted. We call this property setup-adaptive simulation.

The second subtlety comes from the following type of problem. As we outlined in our informal discussion, we wish to run the semi-adaptive simulator once the first party gets corrupted and then “lie” that the simulated conversation took place over the secure channel. However, when the first party gets corrupted after the protocol execution, then the ideal functionality has already computed the outputs using the honest inputs and will therefore not accept anymore inputs from the semi-adaptive simulator. Recall that we run the semi-adaptive simulator with respect to an adversaryAwhich follows the protocol execution using the corrupted party’s honest inputx. If the semi-adaptive simulator extracts the same inputx as the one used by A, then we also know the corresponding output and can give it to the semi-adaptive simulator on behalf of the ideal functionality. Therefore it is crucial that the semi-adaptive simulator can only submit the actual inputx. We call this propertyinput-preserving.

Definition 2.8. We say that an adversaryAisprotocol-honestif it corrupts one of the partiesP prior to protocol execution and then follows the honest protocol specification using some inputxon behalf of the corrupted party. A simulatorS is input-preserving if, during the simulation of a protocol-honest adversary that corruptsP and runs the honest protocol with inputx, the simulatorSsubmits thesameinputxto the ideal functionalityF_SFEf on behalf ofP.

PuttingDefinition 2.6,Definition 2.7andDefinition 2.8together, we are finally ready to define semi-adaptive security.

Definition 2.9. We say that a protocolπ semi-adaptively realizes the ideal functionalityF if there exists a setup-adaptive and input-preserving PPT simulatorS such that, for any PPT adversaryAand environment Z which follow a second-corruption adaptive adversarial strategy, we haveREALπ,A,Z

c

≈IDEALF,S,Z.

Lastly, we define the notion of a well-structured protocol. Since even non-committing encryption commits the simulator to the lengths of the exchanged messages, the number of such messages, and the identities of the sender and receiver of each message, we require that this information is fixed and always the same. In other words, a protocol execution should have the same number of messages, message lengths and order of communication independent of the inputs or random tape of the participating parties. Almost all known constructed protocols for cryptographic tasks are well-structured and any protocol can be easily converted into a well-structured protocol. The formal definition of well-structured protocols is relegated toAppendix D.

FunctionalityF_SFEf

The functionalityF_SFEf interacts with aninitiatorIand aresponderR. The functionality verifies that all received messages share a consistent valuesid = (I, R,sid0)and ignores them otherwise.

Input: Upon receiving the input value(Input_I,sid, x_I)from the initiatorI, record the valuehI, x_Iiand send the message(Input_I,sid)to the adversaryS. Ignore future(Input_I, . . .)inputs. Similarly, upon receiving the input value(Input_R,sid, x_R)from the responser R, record the valuehR, x_Riand send the message

(Input_R,sid)to the adversaryS. Ignore future(Input_R, . . .)inputs.

Output: Upon receiving the message (Output_I,sid)from the adversary S, if eitherhI, x_Iior hR, x_Riis not recorded, ignore the message. Else ifhy_I, y_Riis not recorded, then compute(y_I, y_R) ← f(x_I, x_R)and record hy_I, y_Ri; send the output value(Output_I,sid, y_I) to I. Ignore future (Output_I, . . .) messages from the adversary. Similarly, upon receipt of(Output_R,sid)from the adversary, send the output value

(Output_R,sid, y_R)toR. Ignore future(Output_R, . . .)messages from the adversary.

Figure 3: A two-party secure evaluation functionality for functionf :XI×XR→YI×YR.

We now have all the definitions needed to formally state the correctness of our compilers for transforming a semi-adaptively secure protocol into a (fully) adaptively secure protocol. First we look at the simple compiler using idealized secure channels. We now state the corrected version ofClaim 2.1.

The intuition behind the above theorem was explained inSection 2.1. Also, as we mentioned, this compiler is usually not very efficient because of its excessive use of secure channels and hence NCE. Recall that secure channels are employed so that, when both parties are honest, the adversary does not see any useful information and so this case is easy to simulate. Then, when the first party gets corrupted, our simulator simply makes up the transcript of the communication that should have taken placeex post facto. This transcript is generated based on which party got corrupted, what its inputs were and what its outputs were. However, we notice that for many simple protocols there are not too many choices for this information. The simulator must simply be able to credibly lie that the communication which took place over the secure channel corresponds to any one of these possible choices. Using this intuition, we are now ready to show that a more efficient compiler using `-NCE (for some small `) suffices.

Theorem 2.11. LetF_SFEf be the two-party ideal functionality computing some functionf :XI×XR→YI×YR,

as defined in Figure 3. Assume that a well-structured two-party protocol π for F_SFEf is semi-adaptively secure. Letπ0 be the protocol in which the parties runπ but only communicate with each other using`-equivocal secure channels as modeled byF<sub>SC</sub>` where`=|XI||YI|+|XR||YR|. Thenπ0is (fully) adaptively secure.

Next we will apply our adaptive security compiler ofTheorem 2.11to the concrete problem of bit OT, resulting in the first efficient protocol for this task.

3

Efficient and Adaptively Secure Oblivious Transfer

We start by giving an ideal functionality for OT, following the modeling of [Can05].

FunctionalityF_OT

FOTinteracts with a senderSand a receiverRand the adversaryS. For each input or message, the functionality verifies thatsid = (R, S,sid0); it ignores it otherwise.

Upon receiving an input(Sender,sid, x0, x1)from partyS, where eachx_i∈ {0,1}, record(x0, x1)and send

(Sender,sid)to the adversary. Ignore further(Sender, . . .)inputs.

Upon receiving an input (Receiver,sid, σ) from party R, where σ ∈ {0,1}, record σ and send

(Receiver,sid)to the adversary. Ignore further(Receiver, . . .)inputs.

Upon receiving a message(Output,sid)from the adversary, if eitherx0, x1orσis not recorded, ignore the message. Else send output(Output,sid, x_σ)toR. Ignore further(Output, . . .)messages from the adversary.

Figure 4: The oblivious transfer ideal functionality,FOT.

3.1 The PVW oblivious transfer protocol

In [PVW08], Peikertet al.construct an efficient OT protocol in the CRS model with UC security against a malicious but static adversary. They do so by introducing a new primitive called adual-mode cryptosystem, which almost immediately yields an OT protocol in the CRS model, and give constructions of this primitive under the DDH, QR and lattice hardness assumptions. We therefore first present a brief (informal and high-level) review of dual-mode encryption as in [PVW08], and then will formally define a modified version of this primitive which will allow us to get adaptive security.

A dual-mode cryptosystem is initialized withsystem parameterswhich are generated by a trusted third party. For any choice of system parameters, the cryptosystem has two types of public/private key pairs:leftkey pairs and rightkey pairs. The key-generation algorithm can sample either type of key pair and the user specifies which type is desired. Similarly, the encryption algorithm can generate aleft encryption or aright encryption of a message. When the key pair type matches the encryption type (i.e. a left encryption of a message under a left public key) then the decryption algorithm (which uses the matching secret key) correctly recovers the message.

x0, x1 σ

xσ

Receiver Sender

crs

(pk, sk)←KG(crsot, σ)

xσ←Dec(crsot, pk, sk, yσ)

(yb, ζb)←Enc(crsot, pk, b, xb)

forb= 0,1 pk

y0, y1

Figure 5: The generic OT protocol in [PVW08].

(b= 0) for the left messagex0 and right-encryption for the right message. The receiver then uses the secret key to correctly decrypt the chosen message.

Security against malicious (static) adversaries in the UC model relies on the two different modes for generating the system parameters: messy mode anddecryptionmode. Inmessy mode, the system parameters are generated together with amessy trapdoor. Using this trapdoor, any public key (even one which is maliciously generated) can be easily labeled a left key or a right key. Moreover, in messy mode, when the encryption type does not match the key type (e.g. a left encryption using a right public key) then the ciphertext is statistically independent of the message. Messy mode is useful to guarantee security against acorrupt receiver:the messy trapdoor makes it easy to extract the receiver bit and to create a fake ciphertext for the message which should not be transferred. On the other hand, indecryption mode, the system parameters are generated together with adecryption trapdoorwhich can be used to decrypt both left and right ciphertexts. Moreover, in decryption mode, left public keys are statistically indistinguishable from right public keys. Decryption mode is useful to guarantee security against acorrupt sender: the decryption trapdoor is used to create a public key which completely hides the receiver’s selection bit, and to compute a decryption trapdoor and extracting both of the sender’s messages. In each mode, the security of one party (i.e., the sender in messy mode, and the receiver in decryption mode) is guaranteed information theoretically. To achieve security for both parties simultaneously all that is needed is one simple computational requirement: the system parameters generated in messy mode need to be computationally indistinguishable from those generated in decryption mode.

3.2 Semi-adaptively secure OT

In order to make the PVW OT protocol adaptively secure using our methodology, we need to make it semi-adaptively secure (Section 2.4). We do so by a series of simple transformations.

First, we observe that in the PVW protocol, the simulator must choose the CRScrsotbased on which party is corrupt – i.e. the CRS should be in messy mode to handle a corrupt receiver or in decryption mode to handle a corrupt sender. This is a problem for us since the definition of semi-adaptive security requires that the simulator is setup-adaptive which means that it must simulate the CRS independently of any information on which parties are corrupted. We solve this issue by using a coin-tossing protocol to choose the CRS of the PVW OT protocol. Of course, coin-tossing requires the use of a UC secure commitment scheme which also need their own CRS (crscom)! However, if we use an (efficient) adaptively secure commitment scheme (e.g. [DN02,DG03]) then the simulator’s choice ofcrscomcan be independent on which party is corrupted. Unfortunately, this approach only works if the CRS for the OT protocol comes from a uniform distribution (over some group) and this too is not the case in all instantiations of the PVW protocol. However, we observe that the CRS of the OT protocol (crsot) can be divided into two partscrsot = (crssys,crstmp), where asystem CRScrssyscan be independent of which party is corrupted (i.e. can be the same for both messy and decryption mode) but may not be uniform, whilecrstmpdetermines the mode (messy or decryption) and thus needs to depend on which party is corrupted, but this part is required to be uniform. Therefore we can use an ideal CRS functionality to choose the setup for our protocol which consists of (crscom,crssys)and then run a coin-flipping protocol to choose the uniform valuecrstmp.

becomes corrupted adaptively during the protocol execution. Let us first consider the case where the sender starts out corrupted. In this case, to handle the corrupt sender, the simulator needs to simulate the execution in decryption mode. Moreover, to extract the sender’s value, the simulator uses the decryption trapdoor to create adual public key(on behalf of the receiver) which comes with both a left and a right secret key. Later, if the receiver becomes corrupted, the simulator needs to explain the randomness used by the receiver during key generation to create such a public key. Luckily, current dual-mode schemes already make this possible and we just update the definition with a property calledencryption key dualityto capture this. Now, consider the case where the receiver is corrupted at the beginning but the sender mightalsobecome corrupted later on. In this case the simulator simulates the execution in messy mode. In particular, the simulator uses the messy trapdoor to identify the receiver key type (right or left) and thus extract the receiver bit. Then the simulator learns the appropriate sender message for that bit and (honestly) produces the ciphertext for that message. In addition, the simulator must produce a “fake” ciphertext for the other message. Since, in messy mode, this other ciphertext is statistically independent of the message, it is easy to do so. However, if the sender gets corrupted later, the simulator mustexplainthe fake ciphertext as an encryption of some particular message. To capture this ability, we require the existence ofinternal state reconstructionalgorithm which can explain the fake ciphertext as an encryption of any message. Again, we notice that the QR instantiation of the PVW scheme already satisfies this new notion as well.

Enhanced Dual-Mode Encryption. A dual-mode cryptosystem for message space{0,1}nis defined by the fol-lowing polynomial-time algorithms:

(crs, τ)←PG(1λ_{, µ). The parameter generation algorithmPGis a randomized algorithm which takes security}

parameter λ and mode µ ∈ {mes,dec} as input, and outputs (crs, τ), where crs is a common reference string andτ is the corresponding trapdoor information. For notational convenience, the random coins used for parameter generation are also included inτ. Note that our parameter generationPGincludes two stagesPGsys and PGtmp, i.e., compute (G,crssys, τsys) ← PGsys(1λ) and (crstmp, τtmp) ← PGtmp(µ, G,crssys, τsys) whereGis a group with operator “+”, and setcrs ← (crssys,crstmp) andτ ← (τsys, τtmp). Note that the system CRS is independent of modeµ.

(pk,sk) ← KG(crs, σ). The key generation algorithmKGis a randomized algorithm which takescrs and a key typeσ ∈ {0,1}, and outputs a key pair(pk,sk), wherepk is an encryption key andsk the corresponding decryption key for message encrypted on key type σ. The random coins used for key generation are also included insk.

(c, ζ)←Enc(crs, pk, b, m). The encryption algorithmEncis a randomized algorithm which outputs a cipher-textcfor a messagemon encryption typeb. Hereζis the random coins used for encryption.

m←Dec(crs,pk,sk, c). The decryption algorithmDecis a deterministic algorithm which decrypts ciphertext

cinto plaintextm.

ρ ← MessyId(crs, τ,pk). The messy branch identification algorithm MessyIdis a deterministic algorithm which based on the trapdoorτ computes the key typeρcorresponding to a messy branch ofpk.

(c, ω) ← FakeEnc(crs, τ,pk, ρ). The fake encryption algorithmFakeEncis a randomized algorithm. For the messy branchρ, the ciphertextcis faked by using the trapdoorτ, and some internal informationωis saved for reconstructing the random coins used for encryption.

ζ ←Recons(crs, τ,pk, ρ, c, ω, m). The internal state reconstruction algorithmReconsis a deterministic algo-rithm. When the plaintextmis supplied for the faked ciphertextcin messy branchρ, the algorithm recover the used random coinsζ based on previously generated internal informationω.

(pk,sk0,sk1) ← DualKG(crs, τ). The dual key generation algorithm DualKGis a randomized algorithm, which based on the trapdoorτ, outputs an encryption keypk, and two decryption keyssk0,sk1corresponding to key type 0 and 1, respectively.

Definition 3.1(EnhancedDual-Mode Encryption). Anenhanced dual-mode cryptosystemis a tuple of algorithms as described above satisfying the following properties:

COMPLETENESS: For every µ ∈ {0,1}, (crs, τ) ← PG(1λ, µ), m ∈ {0,1}n, σ ∈ {0,1}, and (pk,sk) ←

KG(crs, σ), the decryption on branch σ is correct except with negligible probability; i.e.,Dec(crs,pk,sk,

c) =m, where(c, ζ)←Enc(crs, pk, σ, m).

tem-poral CRSes are computationally indistinguishable from random elements in groupG, i.e.,

{crstmp}(crs,τ)←PG(1λ_,mes) c

≈ {crstmp}

crstmp←$G

c

≈ {crstmp}(crs,τ)←PG(1λ_,dec)

MESSY BRANCH IDENTIFICATION AND CIPHERTEXT EQUIVOCATION: For every (crs, τ) ← PG(1λ,mes)and every pk, MessyId(crs, τ,pk) outputs a branch value ρ such that for every m ∈ {0,1}n, Enc(crs,pk, ρ,·) is simulatable, i.e.,{c, ζ}_(c,ζ)←Enc(crs,pk,ρ,m)

s

≈ {c, ζ}(c,ω)←FakeEnc(crs,τ,pk,ρ),ζ←Recons(crs,τ,pk,ρ,c,ω,m)

ENCRYPTION KEY DUALITY: For every (crs, τ) ← PG(1λ,dec), there exists (pk,sk0,sk1) ← DualKG(crs, τ) such that for every σ ∈ {0,1}, (pk,skσ) is statistically indistinguishable from the honestly generated key

pair, i.e.,{pk,skσ}(pk,sk0,sk1)←DualKG(crs,τ) s

≈ {pk,sk}(pk,sk)←KG(crs,σ)

Construction.Based on the above transformations, a generic construction for a semi-adaptively secure OT protocol is given inFigure 6. It consists of two phases, the coin tossing phase and the transferring phase (which is separated by a dot line in the figure). The CRS consists of two pieces: the first piece is a system CRS denoted ascrssys, while the second piece is for an adaptively secure UC commitment protocol which will be used for constructing a coin tossing protocol. The UC commitment includes two stages, the commit and the open stages which could be interactive; a randomly selected valueris committed by the receiver for the sender in the commit stage, and after receiving a randomly selected valuesfrom the sender, the receiver open the committed rto the sender, and both sender and the receiver can compute a temporal CRScrstmpbased onsandr. The temporal CRScrstmptogether with the system CRScrssyswill be used as the CRS for the transferring phase and we denote it ascrsot. Withcrsot in hand, we “plug in” the PVW protocol (Figure 5) but based on the enhanced dual-mode cryptosystem to achieve message transferring.

Theorem 3.2. Given an adaptively UC-secure commitment scheme and an enhanced dual-mode cryptosystem as inDefinition 3.1, the protocol inFigure 6semi-adaptively realizesFOTin theFCRS-hybrid model.

By “plugging in” efficient instantiations of the two building blocks above, we obtain efficient concrete protocols for semi-adaptively secure OT. For example, good candidates for adaptively secure UC commitments can be found in [DN02, DG03], while a QR-based dual-mode encryption scheme is presented in [PVW08]. InAppendix F, we show that this scheme also satisfiesDefinition 3.1. As mentioned in Section 1, a semi-adaptively secure OT protocol can also be based on the DDH assumption. In this case, however, in order to make ciphertext equivocation possible, we also need an efficientΣ-protocol for the equality of discrete logs. (SeeAppendix Gfor more details.)

3.3 Efficient and adaptively secure Bit OT protocol

We now apply our compiler fromSection 2.4to the protocol inFigure 6, to immediately obtain an efficient adap-tively secure OT protocol in the UC framework.

Corollary 3.3. Assume that the DDH, QR, and DCR assumptions hold. Then there exists an adaptively secure protocol that UC-realizes thebit-OT functionalityFOTin theFCRS-hybrid world, running in (expected) constant number of rounds and using (expected) constant number of public-key operations.

Justification for the assumptions is as follows: efficient adaptive UC commitments can be realized in the CRS model under the DCR assumption [DN02], non-committing and somewhat non-committing encryption can be constructed under DDH ([DN00] and Section 2, respectively), while enhanced dual-model encryption exists under the QR assumption ([PVW08] andSection 3).

3.4 Efficient and adaptively securestringOT

s

V

commit

V

open

x

, x

σ

x

xσ

S

R

Receiver

Sender

C

crsot ←(crssys,crstmp)

crstmp←r+s

crsot ←(crssys,crstmp)

crstmp ←r+s

crs

,

crs

, G

C

s←$ G

r←$ G

r,crscom

crs

crs

crs

(pk, sk)←KG(crsot, σ)

xσ←Dec(crsot, pk, sk, yσ)

(yb, ζb)←Enc(crsot, pk, b, xb)

forb= 0,1

pk

y

, y

r

Figure 6: Generic semi-adaptively secure OT protocol. Here C =====commit⇒ V and C ===open⇒ V denote the commit and the open stages of an adaptive UC-secure commitment protocol based on CRScrscom. crssysis the system CRS, and S R is the PVW protocol (Figure 5), but based on our enhanced dual-mode encryption scheme.

Theorem 3.4. Assume that the DDH and DCR assumptions hold. Then there exists an adaptively secure protocol that UC-realizes thestring-OT functionalityFOT in the FCRS-hybrid world, and can transfer ann-bit string in (strict) constant number of rounds and using (strict)O(n)public-key operations.

Acknowledgements

We thank Ran Canetti, Yevgeniy Dodis, Yuval Ishai, Stas Jarecki and Aggelos Kiayias for their help. Specially, an early discussion with Ran advances this work.

References

[Bea97] Donald Beaver. Plug and play encryption. In Burton S. Kaliski Jr., editor,CRYPTO, volume 1294 ofLecture Notes in Computer Science, pages 75–89. Springer, 1997.

[BH92] Donald Beaver and Stuart Haber. Cryptographic protocols provably secure against dynamic adversaries. In EUROCRYPT, pages 307–323, 1992.

[Can01] Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. InFOCS, pages 136–145. IEEE Computer Society, 2001.

[Can05] Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. InCryptology ePrint Archive, Report 2000/067, December 2005. Latest version athttp://eprint.iacr.org/2000/

067/.

[CDD+04] Ran Canetti, Ivan Damg˚ard, Stefan Dziembowski, Yuval Ishai, and Tal Malkin. Adaptive versus non-adaptive security of multi-party protocols.J. Cryptology, 17(3):153–207, 2004.

[CDMW09] Seung Geol Choi, Dana Dachman-Soled, Tal Malkin, and Hoeteck Wee. Simple, black-box constructions of adaptively secure protocols. In Omer Reingold, editor,TCC, volume 5444 ofLecture Notes in Computer Science, pages 387–402. Springer, 2009.

[CFGN96] Ran Canetti, Uriel Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In STOC, pages 639–648, 1996.

[CK02] Ran Canetti and Hugo Krawczyk. Universally composable notions of key exchange and secure channels. In Lars R. Knudsen, editor,EUROCRYPT, volume 2332 ofLecture Notes in Computer Science, pages 337–351. Springer, 2002. Full version athttp://eprint.iacr.org/2002/059/.

[CKL06] Ran Canetti, Eyal Kushilevitz, and Yehuda Lindell. On the limitations of universally composable two-party computation without set-up assumptions. J. Cryptology, 19(2):135–167, 2006. Preliminary version appeared in Eurocrypt 2003.

[CLOS02] Ran Canetti, Yehuda Lindell, Rafail Ostrovsky, and Amit Sahai. Universally composable two-party and multi-party secure computation. InSTOC, pages 494–503. ACM, 2002. Full version athttp://eprint.iacr.

org/2002/140/.

[Coc01] Clifford Cocks. An identity based encryption scheme based on quadratic residues. In Bahram Honary, editor, IMA Int. Conf., volume 2260 ofLecture Notes in Computer Science, pages 360–363. Springer, 2001.

[Dam00] Ivan Damg˚ard. Efficient concurrent zero-knowledge in the auxiliary string model. In EUROCRYPT, pages 418–430, 2000.

[DG03] Ivan Damg˚ard and Jens Groth. Non-interactive and reusable non-malleable commitment schemes. InSTOC, pages 426–437. ACM, 2003. Full version at http://www.brics.dk/˜jg/STOC03NMcommitment. pdf.

[DN00] Ivan Damg˚ard and Jesper Buus Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. In Mihir Bellare, editor,CRYPTO, volume 1880 ofLecture Notes in Computer Science, pages 432–450. Springer, 2000.

[DN02] Ivan Damg˚ard and Jesper Buus Nielsen. Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor. In Moti Yung, editor, CRYPTO, volume 2442 of Lecture Notes in Computer Science, pages 581–596. Springer, 2002. Full version athttp://www.brics.dk/RS/01/41/

BRICS-RS-01-41.pdf.

[DN03] Ivan Damg˚ard and Jesper Buus Nielsen. Universally composable efficient multiparty computation from threshold homomorphic encryption. In Dan Boneh, editor,CRYPTO, volume 2729 ofLecture Notes in Computer Science, pages 247–264. Springer, 2003.

[DNO08] Ivan Damg˚ard, Jesper Buus Nielsen, and Claudio Orlandi. Essentially optimal universally composable oblivious transfer. In Pil Joong Lee and Jung Hee Cheon, editors,ICISC, volume 5461 ofLecture Notes in Computer Science, pages 318–335. Springer, 2008. Available athttp://eprint.iacr.org/2008/220/.

[GMW87] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or A completeness theorem for protocols with honest majority. InSTOC, pages 218–229. ACM, 1987.

[GMY04] Juan A. Garay, Philip MacKenzie, and Ke Yang. Efficient and universally composable committed oblivious transfer and applications. In Moni Naor, editor,TCC, volume 2951 ofLecture Notes in Computer Science, pages 297–316. Springer, 2004.

[IKLP06] Yuval Ishai, Eyal Kushilevitz, Yehuda Lindell, and Erez Petrank. Black-box constructions for secure computa-tion. InSTOC, pages 99–108. ACM, 2006.

[IPS08] Yuval Ishai, Manoj Prabhakaran, and Amit Sahai. Founding cryptography on oblivious transfer – efficiently. In David Wagner, editor,CRYPTO, volume 5157 ofLecture Notes in Computer Science, pages 572–591. Springer, 2008.

[JS07] Stanislaw Jarecki and Vitaly Shmatikov. Efficient two-party secure computation on committed inputs. In Moni Naor, editor,EUROCRYPT, volume 4515 ofLecture Notes in Computer Science, pages 97–114. Springer, 2007.

[KO04] Jonathan Katz and Rafail Ostrovsky. Round-optimal secure two-party computation. In Matthew K. Franklin, editor,CRYPTO, volume 3152 ofLecture Notes in Computer Science, pages 335–354. Springer, 2004.

[Lin08] Andrew Y. Lindell. Efficient fully-simulatable oblivious transfer. In Tal Malkin, editor,CT-RSA, volume 4964 ofLecture Notes in Computer Science, pages 52–70. Springer, 2008.

[Lin09] Yehuda Lindell. Adaptively secure two-party computation with erasures. InCT-RSA, 2009. Available athttp:

//eprint.iacr.org/2009/031/. To appear.

[LP07] Yehuda Lindell and Benny Pinkas. An efficient protocol for secure two-party computation in the presence of malicious adversaries. In Moni Naor, editor,EUROCRYPT, volume 4515 ofLecture Notes in Computer Science, pages 52–78. Springer, 2007.

[LZ09] Yehuda Lindell and Hila Zarosim. Adaptive zero-knowledge proofs and adaptively secure oblivious transfer. In Omer Reingold, editor,TCC, volume 5444 ofLecture Notes in Computer Science, pages 183–201. Springer, 2009.

[Nie02] Jesper Buus Nielsen. Separating random oracle proofs from complexity theoretic proofs: The non-committing encryption case. In Moti Yung, editor, CRYPTO, volume 2442 ofLecture Notes in Computer Science, pages 111–126. Springer, 2002.

[Nie03] Jesper Buus Nielsen. On protocol security in the cryptographic model. Dissertation Series DS-03-8, BRICS,

2003.http://www.brics.dk/DS/03/8/BRICS-DS-03-8.pdf.

[Nie05] Jesper Buus Nielsen. Universally composable zero-knowledge proof of membership. Manuscript, 2005. Avail-able athttp://www.daimi.au.dk/˜buus/n05.pdf.

A

The Universal Composability Framework

The UC framework was proposed by Canetti for defining the security and composition of protocols [Can01]. In this framework one first defines an “ideal functionality” of a protocol, and then proves that a particular implementation of this protocol operating in a given computational environment securely realizes this ideal functionality. The basic entities involved arenplayersP1, . . . , Pn, an adversaryA, and an environmentZ. The real execution of a protocol

π, run by the players in the presence ofAand an environment machineZ, with inputz, is modeled as a sequence ofactivationsof the entities. The environmentZ is activated first, generating in particular the inputs to the other players. Then the protocol proceeds by havingAexchange messages with the players and the environment. Finally, the environment outputs one bit, which is the output of the protocol.

The security of the protocols is defined by comparing the real execution of the protocol to an ideal process in which an additional entity, the ideal functionalityF, is introduced; essentially,F is an incorruptible trusted party that is programmed to produce the desired functionality of the given task. The players are replaced by dummy players, who do not communicate with each other; whenever a dummy player is activated, it forwards its input to

F. LetAdenote the adversary in this idealized execution. As in the real-life execution, the output of the protocol execution is the one-bit output ofZ. Now a protocolπsecurely realizesan ideal functionalityFif for any real-life adversaryAthere exists an ideal-execution adversaryS such that no environmentZ, on any input, can tell with non-negligible probability whether it is interacting withAand players runningπin the real-life execution, or withS andFin the ideal execution. More precisely, if the two binary distribution ensembles,REAL_π,A,Z andIDEALF,S,Z, describingZ’s output after interacting with adversary Aand players running protocolπ (resp., adversaryS and ideal functionalityF), are computationally indistinguishable (denotedREAL_π,A,Z

c

≈ IDEALF,S,Z). For further

details on the UC framework refer to [Can05].

As was observed in [CKL06], most functionalities cannot be realized in the UC framework without some setup. One common form of setup is the common reference string (CRS). We model a CRS as an ideal functionalityF_CRSD which is shown inFigure 7.

FunctionalityF_CRSD

FD

CRSis parameterized by a PPT sampling algorithmD.

On input(CRS,sid)fromP, verify thatsid = (P,sid0)wherePis a set of identities, andP ∈ P; else ignore the input. Next if there is no valuecrsrecorded then choosecrs ← D()and record it. Send(CRS,sid,crs, P)

toS; when receiving(CRS,sid,crs)fromS, send(CRS,sid,crs)toP.

Figure 7: The common reference string ideal functionality,FCRS.

B

Review of Simulatable Public Key Systems from [

DN00

]

Asimulatable public key systemis defined by a tuple(KG,Enc,Dec)consisting of the key-generation, encryption and decryption algorithms respectively. For the definition of security, we also require the existence of an

oblivi-ous public key generatorKGf and a correspondingkey-faking algorithmKGf

−1

. Similarly, we require anoblivious

ciphertext generatorEncg and a correspondingciphertext-faking algorithm Encg

−1

. Intuitively, the key-faking al-gorithm is used to explain a legitimately generated public key as an obliviously generated public key. Similarly, the ciphertext-faking algorithm is used to explain a legitimately generated ciphertext as an obliviously generated ciphertext.

The simulatable pubic key system has the following three properties.

Semantic Security: For allm0, m1 in the appropriate domain, consider the experiment(pk, sk) ←KG(),C0 ←

Encpk(m0),C1 ←Encpk(m1). Then(pk, m0, m1, C0)

c

≈(pk, m0, m1, C1).

Oblivious PK Generation: Consider the experiment(pk, sk)←KG(),r←KGf

−1

(pk)andpk0 ←KGf(r0). Then

Oblivious Cipher-text generation: For any messagemin the appropriate domain, consider the experiment(pk, sk)←

KG(),C1 ←Encg_pk(r₁),C₂ ←Enc_pk(m;r₂),r0₁←Encg

−1

pk(C2). Then (pk, r1, C1)

c

≈(pk, r0 1, C2)

C

Efficiency of Our

`

-NCE Scheme

Let us look at the efficiency of the construction. For concreteness we will assume that the secure channel used to encrypt the index iare implemented using the NCE protocol of [DN00]. The simulatable public-key system (which we use during channel setup and also which is used in the protocol of [DN00]) can be instantiated with e.g. ElGamal Encryption. Lastly, the symmetric key system can be implemented very efficiently using some variable length encryption algorithm e.g. AES in CBC mode.

The protocol of [DN00] is anexpected6 round protocol which exchanges atbit message using anexpected

O(t)number of operations.4Since we use the NCE protocol to send an indexi∈ {1, . . . , `}, this requiresO(log`) number of public key operations. In addition to NCE, we use the simulatable public key system. However, we only use it to perform one encryption/decryption operation andO(`)oblivious key-sampling, ciphertext-sampling operations. For ElGamal, this just means choosing random group elements which is efficient and hence we do not count it as a public key operation. Lastly, for the encryption phase we only use symmetric key operations. This gives us a total of (expected) O(log`) public key operations, O(`)communication and fewer than (expected) 8 rounds of interaction for the channel setup phase. After channel-setup, encryption is non-interactive and requires only symmetric key operations. However, the encryption of akbit message requiresO(`k)communication.

D

Well-Structured Protocols

Definition D.1. A protocolπ for the functionality F_SFEf iswell-structuredif, on input(Input_I,sid, xI)the

ini-tiatorI sends some message of lengthk0 toR. The responderRstores messages fromI until receiving its input (Input_R,sid, xR). Then the execution of the protocol proceeds in roundsi= 1, . . . , nwhere, in each roundithe

partybi sends a messagemi of lengthki to the party1−bi wherebiswitches in each round. In other words, the

first message from the initiatorI can be considered round 0 so thatPb0 is the initiator and, for each successive

roundi,bi = 1−bi−1.

We require that the message sizeskiand the number of roundsnare completely determined by the protocol and

are independent of the input values or random coins of the parties.

E

Proofs

E.1 Proof ofTheorem 2.5

We need to show that our protocol inFigure 2realizes the F_SC` functionality described in Definition 2.4. This functionality is parametrized by two oracles: the message-ignoring oracleRand the message-processing oracle

M. We define these oracles based on our actual protocol construction. In essence the oracleMcorresponds to the actions of the parties for the indexichosen during channel setup, while the oracleRcorresponds to all other indices in{1, . . . , `}. In particular:

• On input(ChSetup,sid), the oracleMsamples(pk, sk) ← KG(),K ← KGsym(),C ← Encpk(K). The

oracleRsamplespk←KGf(),C←Encg_pk().

• On input(Send,sid, m), the oracleMsamplesC ←Encsym_K (m). The oracleRsamplesCrandomly. We must first show that the oraclesMandRare indistinguishable. We do so using a hybrid argument.

4

For large messages (larger than the security parameter) the protocol of [DN00] can be madeguaranteed3 round. However, the tradeoff is that the number of public key operations is at least security parameter. Since we consider very small messages (3 bits) we settle for the

1. We start with the message-processing oracleM.

2. We now modify the oracle so that, for allSendcommands, it chooses the symmetric-key ciphertextC ran-domly instead of computingC ←Encsym_K (m). This modification is indistinguishable from the initial oracle since ciphertexts produced by the symmetric key scheme are indistinguishable from random ciphertexts.

3. We now modify the oracle from step 2 so that, for all ChSetup commands, instead of computing C ←

Encpk(K), it computesC ← Encg_pk(). This oracle is indistinguishable from that of step 2 by the oblivious

ciphertext generation property.

4. Lastly we modify the oracle from step 3 so that, forChSetupcommands, instead of computing(pk, sk) ←

KG() it computespk ← KGf(). This oracle is indistinguishable from that of step 3 by the oblivious key

generation property.

The last step yields the message-ignoring oracleR. HenceMandRare computationally indistinguishable. The two oracleM,Rnow define the complete non-information oracleN` and hence the`-equivocal secure channel functionalityF_SCN`. We must now describe an ideal-world simulation of our`-NCE protocol.

The simulation while both parties are honest is actually very simple since the non-information oracleN actually runs the protocol and hence there is little that our simulatorSmust do! Essentially, to simulate the secure transfer of the index i, the simulator simply sends the length of the message (which is known since `is known) to the adversaryA. To simulate the rest of the channel setup phase and also any encryption commands, the simulatorS just passes all information fromN to the adversaryA.

The only difficult part is simulating the first corruption. In the ideal world, the simulator is only given the internal state of the single machineNiwhich is the message-processing oracles. In the real-world the state of the

corrupted party also includes the randomness for all of the obliviously-generated public keys and ciphertexts (i.e. the internal state of all of the message-ignoring oracles). But the simulator can simulate this easily by using the ciphertext-faking and key-faking algorithms. In other words, for each symmetric key ciphertextCsymproduced by an oracleNi, the simulator simply sets the random coins of the sender asCsym(since it is just a uniformly random

value). Moreover, for each public key ciphertextC, the simulator sets the internal state of its sender asEncg

−1

pk(C).

Lastly for each public keypk, the simulator sets the internal state of its sender asKGf

−1 (pk).

We can view the real world protocol as a series of the same`oraclesN1, . . . ,N`whereNi (for the transferred

indexi) is the above described message-processing oracle and the rest are message-ignoring oracles. Hence the only difference between the real world and the ideal world is how the random coins of the corrupted party for its message-ignoring oracles are generated. In the real-world the adversary gets the actual coins while in the ideal-world the adversary gets coins produced by the faking algorithms. Let us denote the worlds by tuples showing which oracles are running for all indices other thani(i.e. either message-processing or messsage-ignoring) and how the state is generated (i.e. actual state, faked state). So the real world can be represented as a tuple (message-ignoring, actual). But, by the properties of the simulatable public key system, this is indistinguishable from the world (message-processing, faked). Lastly, since the fake algorithms do not use any secrets, and message-ignoring oracles are indistinguishable from message processing oracles, the world (message-processing, faked) is indistinguishable from (message-ignoring, faked). But this is the ideal world, and hence we have shown that the real-world is indistinguishable from the ideal world.

E.2 Proof ofTheorem 2.10

By assumption, the underlying protocolπis well-structured and there is a simulatorSsemiwhich is setup-adaptive

and input-preserving, such thatπ realizes the two-party functionality F_SFEf against a second-corruption adaptive adversary. In particular for any second-corruption adaptive adversaryAsecthere isSsemisuch that for any

environ-mentZsec

REALπ,Asec,Zsec

c

≈IDEAL_Ff

SFE,Ssemi,Zsec

We now construct a simulatorSfor the protocolπ0that uses fully non-committing secure channels. The simulator